The vast network of compromised computers, dubbed TDL-4, relies on a powerful rootkit of the same name that can conceal itself, as well as other types of malware, on an infected system, Kaspersky researchers Sergey Golovanov and Igor Soumenkov wrote in a report released Monday.
TDL-4, the fourth and latest version of the TDSS family of malware, was developed late last year and includes changes that affect nearly all of its components. The bug first appeared in 2008.
Malware in the TDSS family is the “most sophisticated threat today,” the researchers said.
The TDL-4 botnet is protected against disruption owing to a unique algorithm that its operators have developed to encrypt the communications between infected computers and command-and-control (C&C) servers.
Notably, in the latest version, those behind the malware swapped out the algorithm, RC4, previously used to encrypt the protocol used for communication between bots and C&C servers. The new algorithm, which uses the domain names of the C&C servers as encryption keys, ensures the botnet will run seamlessly, evades network traffic analysis and blocks other criminals from taking control.
Another aspect that makes the botnet particularly durable is its use of the Kad Network, a public peer-to-peer (P2P) file-exchange network, to transmit commands from C&C servers to infected computers, researchers said.
“The owners of TDL are essentially trying to create an indestructible botnet,” they wrote.
David Harley, senior research fellow at anti-virus firm ESET, told SCMagazineUS.com in an email Thursday that botnets have been communicating via P2P networks since at least 2003, although TDL-4's P2P topology implementation is better than most.
“Their edge comes from being adaptive rather than outstandingly original,” he said.
Typically, botnets that communicate via P2P use closed protocol connections created by the operators themselves, the Kaspersky researchers said. But the use of a public P2P network allows those behind the botnet to evade shutdown attempts by those in the computer security or law enforcement communities.
But Paul Ducklin, head of technology for the Asia Pacific region at security firm Sophos, cautioned against calling any malware unbeatable. In fact, he said it is mathematically impossible.
"You can never write a virus which will evade all possible anti-virus programs," he wrote in a Thursday blog post. "TDL may be tricky, and sneakily thought out, and cunningly implemented. It may be a tough analysis problem for security researchers. But it is not indestructible. No malware ever is."
The malware is spreading via a network of affiliates that receive between $20 and $200 for every 1,000 installations, depending on where the victim computer is located. Affiliates often distribute the malware via adult content and bootleg websites, as well as video and file storage services.
During the first three months of 2011, TDL-4 infected more than 4.5 million computers worldwide. The botnet is being used to manipulate search engines, allow for the installation of additional malware and provide anonymous internet access, researchers said.
Among the new features of the malware is a file used to establish a proxy server on an infected computer to allow for the anonymous viewing of internet resources. The botnet's masterminds have leveraged this feature to earn big profits by offering anonymous internet access as a service for $100 per month.